1 Introduction

The Internet of Things is nothing new. First introduced 
as Ubiquitous Computing by Mark Weiser [49] around 
1990, the basic concept of the "disappearing computer" 
has been studied as Ambient Intelligence or Pervasive 
Computing in the decades that followed. Today we wit- 
ness the first large scale applications of these ideas. We 
see RFID technology being used in logistics, shopping,
public transport and the like. The use of smart phones 
is soaring. Many of them are able to determine their 
location using GPS (Global Positioning System). Some 
phones already have NFC (Near Field Communication) 
capabilities, allowing them to communicate with ob- 
jects tagged with RFID directly. Combined with social 
networking (like Facebook or Twitter), this gives rise to 
advanced location based services, and augmented real- 
ity applications. In fact social networks interconnecting 
things as well as humans have already emerged.
Examples are Patchube, a web-based service built to manage
the world's real-time data 1 and Flukso, a web-based
community metering application 2.

As the full ramifications of the Internet of Things 
start to unfold, this confluence of cyberspace and phys- 
ical space is posing interesting new and fundamental 
research challenges. In particular, as we will argue in
this essay, it has a huge impact in the area of security, 
privacy and trustability. As Bruce Schneier puts it in a 
recent issue of CryptoGram [38] (while discussing IT in 
general): 

"[...] it's not under your control, it's doing things 
without your knowledge and consent, and it's 
not necessarily acting in your best interests." 

The question then is how to ensure that, despite these 
adverse conditions, the Internet of Things is a safe, 
open, supportive and in general pleasant environment 
for people to engage with, or in fact for people to live 
in. 

This essay is structured as follows. We define the 
Internet of Things in section 2, and describe the main 
privacy, security and trustability issues associated with 
it in section 3. Solutions to these problems will have to 
deal with certain constraints, as explained in section 4. 
Section 5 discusses classical solutions based on data 
minimisation techniques, while section 6 discusses more 
recent alternative approaches. We conclude with an ex- 
tensive overview of research challenges in section 7. 



2 The vision 

What exactly is the Internet of Things? Many defi- 
nitions can be given. At a basic level the Internet of 
Things is a dynamic global network infrastructure with 
self configuring capabilities where physical and virtual 
"things" have identities, physical attributes, and virtual 
personalities. They use intelligent interfaces, and are 
seamlessly integrated into the information network [43].
Such "things" could be a pair of jeans (with an RFID 
tag attached), a light switch, a light bulb, a fridge, a 
washing machine, or any other sensor or actuator: the
list of things is basically endless. All these things be- 
come first class members of the Internet, sharing their 
data with the world, and using the world's data for their 
own purposes. 

Far more interesting are the envisioned applications
of the Internet of Things to realise the Ambient
Intelligence (AmI) concept. This concept

... provides a vision of the Information Society
future where the emphasis is on user friendliness, 
efficient and distributed services support, user- 
empowerment, and support for human interac- 
tions. People are surrounded by intelligent intu- 
itive interfaces that are embedded in all kinds 
of objects and an environment that is capable 
of recognising and responding to the presence of 
different individuals in a seamless, unobtrusive 
and often invisible way. [16] 

In an ambient intelligence world created using the Inter- 
net of Things, devices work in concert to support peo- 
ple in carrying out their everyday life activities, tasks 
and rituals in easy, natural ways using information and 
intelligence that is hidden in the network connecting 
these devices [1,23,20]. 

Applications of Ambient Intelligence have been pro- 
posed in a wide variety of areas, like housing (home au- 
tomation, smart washing machines), smart cities (sus- 
tainability and energy conservation), mobility (traffic 
management systems, congestion control, support for 
multi-modal transport, public transport ticketing),
commerce (inventory management, marketing and
advertising, store personalisation), education (digital libraries,
digital museums), and health (self-treatment, long-distance 
monitoring) [16] to name but a few examples. 

The Internet of Things may change the way we per- 
ceive the world completely. For one thing, the world 
around us will start to perceive us as well [18]. The 
book you read may 'read' you as well. How will that 
influence our relationship with the things around us? 
How will that influence our own self image? 



2.1 Properties of the IoT 

A pervasive system like the Internet of Things is char- 
acterised by the following system properties. 

Invisible by design: A pervasive system pervades the human
environment, but resides in the periphery of our attention.
Pervasive devices are not explicitly there; they do not
take up space on your desk, but are often integrated into
other common objects like windows, doors or walls. They may
not have a direct user interface, and may have limited
computing, storage and power resources.

Networked: Devices are interconnected by a seamless
communication infrastructure, which is dynamic and
massively distributed.

Many-to-many: Devices do not have a 1-to-1 relationship
with a user. Where a laptop and a mobile phone are personal
devices used by one user, pervasive devices are not
restricted to one person as a user. One person can use many
pervasive devices, and one pervasive device can be used by
many persons.

Always on: Devices are always active; it is not necessary
to first actively switch them on before any interaction
can be had with the system.

Distributed: The computing intelligence and effort of
a pervasive system is not restricted to one device
but is the combined computing effort of multiple
devices. Pervasive systems are comprised of widely
heterogeneous devices, and show emergent behaviour.

Context-aware: Pervasive systems have some knowledge
of their context. They may, for example, be aware
of other pervasive devices in their vicinity, or they
may be able to measure location or temperature.

Adaptive/spontaneous/autonomic: The information retrieved
from sensors is used by a pervasive system to adapt its
behaviour. This adaption is spontaneous, meaning that it
is not triggered by a user pushing a button, but by more
implicit actions of somebody, like for example entering
a room.

Natural human interface: A pervasive system has an
intuitive human computer interface. People should not
need to think about how to interact with the system,
as this should be natural, e.g. through speech,
touch or movement.

With this understanding of the Internet of Things and 
its properties, we are ready to discuss the potential 
problems with the Internet of Things, and possible ap- 
proaches to mitigate these problems. 

3 The problem 

The vision of the Internet of Things outlined above 
is certainly an attractive one. However, the very same 
components used to build this vision can also be used 
to create a totally different future. To prevent this
vision from becoming our worst nightmare, basic guarantees
have to be implemented that will protect our privacy 
and will maintain security. This will not happen with- 
out considerable effort, for the current trend in IT is 
detrimental to security and privacy. As Schneier puts
it [38]: "the boundary between inside and outside
disappears (deperimeterization), data is increasingly stored
and treated in the cloud (decentralization), general purpose
computer is replaced by special purpose devices
(deconcentration), and smart software and devices will
increasingly do things on our behalf (depersonization)".
We will describe the main privacy, security and
trustability issues below.

3.1 Privacy 

In a world of sensors and actuators that surround us 
and support us in our day to day activities, privacy is 
obviously a big concern. 

Privacy — sometimes loosely defined as the 'right 
to be let alone' [45] — is considered a fundamental hu- 
man right in many societies. It is "essential for freedom, 
democracy, psychological well-being, individuality and 
creativity" [39]. Privacy has many dimensions (corpo- 
real, relational, etc.), but for the purpose of this essay 
we focus on the data protection aspect of it. We wish to 
stress that data protection is not the same as keeping 
personal information confidential. Data protection laws 
and regulations are much broader. They determine the 
conditions under which businesses and governments are 
allowed to collect, process and use personal information 
(proportionality and subsidiarity). They empower cit- 
izens to determine how personal data about them is 
used even after it is collected by third parties. They 
allow them to be informed about the use of their per- 
sonal information, and give them the right to correct 
personal information about themselves. 

As a consequence, privacy protection in the Internet 
of Things [17, 25] involves much more than data minimi- 
sation techniques like using pseudonyms and preventing 
data collection through proper access control. In fact, 
the vision of an Internet of Things that intelligently 
supports us in our day to day activities needs to collect 
large amounts of personal information... The challenge
is to accommodate this need for personal data, while 
maintaining privacy guarantees. 

3.2 Security 

Serious integrity, authenticity, and availability concerns 
arise too in the Internet of Things. 

Consider the use of RFID tags in supply chain man- 
agement as an example. If the logistics of a company 
critically depends on the correct bookkeeping of items 
in stock through RFID tags, then inserting fake or wrong 
tags in the system can do serious damage. Radio
interference or outright radio jamming may make
inventory scanning impossible or highly inaccurate.
Swapping tags on items in stock may allow customers to
defraud store owners. Recent research even indicates 
that (fake) RFID tags can be used to spread computer 
viruses [35]. 

When the Internet of Things expands to other ap- 
plication areas, like health care, smart grids, and the 
like, the Internet of Things itself becomes a critical in- 
frastructure. This is especially the case when the nodes 
are not merely sensors but also actuators, whose actions 
control critical components. This imposes strong secu- 
rity requirements. Not so much regarding confidential- 
ity (although this is a concern with respect to industrial 
espionage related to supply chain information), but the 
more so regarding integrity, authenticity, and
availability of the Internet of Things [25].

The issue also needs to be addressed at the manage- 
ment level. Who is in charge? And when something goes 
wrong, who is responsible? [16] These questions are not 
so easily answered in a pervasive system like the In- 
ternet of Things where a single 'point of authority' is 
lacking. 

3.3 Trustability 

An even more principal issue, that partly underlies the 
security and privacy problems associated with the In- 
ternet of Things, is that of trust, or rather, trustability. 
In sociology, trust is defined as follows [21]:

When an actor trusts another actor, she is will- 
ing to assume an open and vulnerable position. 
She expects the other to refrain from opportunis- 
tic behaviour even if there is the possibility to 
show this behaviour. 

Often designers of ICT infrastructure assume (or rather
impose) that users need to trust the infrastructure,
because adequate privacy measures are missing, proper
security is not guaranteed, and risks are not mitigated
in any other way. A paradigm shift is needed away from
this paternalistic 'trust us' implementation of the ICT
infrastructure that surrounds us, to a more user-centric
'trustability' approach where the infrastructure allows
the user to build up trust using personal tools and other
means. We propose the following definition.

A system is trustable, if the risk of using the sys- 
tem for a particular purpose can be reliably esti- 
mated by the user using third party tools under 
her own control, and/or using third party data 
of her own choosing. 

It is an interesting question how techniques from iden- 
tity management (and solutions to its associated prob- 
lems [2]), and the trusted computing paradigm [30] can 
be re-applied in this new context. 
4 Constraints

The previous section has argued that strong privacy 
and security guarantees have to be built into the
Internet of Things, in order to prevent disruptions in the
scenarios outlined above. However, implementing these 
guarantees should not interfere with the realisation of 
the Internet of Things itself. This makes developing 
such guarantees an interesting research challenge, on 
which this essay will expound further. We note that 
the recommendation of the European Commission of 
May 2009 [14] to kill RFID tags at the point-of-sale 
is too disruptive in that respect: it strongly protects
the privacy of the citizen, but makes it much harder to 
use RFID tags beyond the point-of-sale for all kinds of 
benevolent applications. 

Classical security countermeasures and privacy
enhancements do not apply to RFID due to their
pervasiveness and limited computing power. Low cost RFID
tags do not have the resources to perform any but the
most primitive cryptographic operations, and their sheer
number poses scalability problems. Similarly, new models,
policies and assessment methodologies need to be
developed: the linking of physical objects with the
networked world through RFID, and the new possibilities
for profiling, pose new security and privacy threats that
are not captured by the current state of the art.
Solutions are further constrained by the properties of a
pervasive system listed in section 2.1.

5 The past: data minimisation 

Most research so far has focused on techniques to min- 
imise data collection, by implementing certain forms of 
authentication and access control while respecting the 
resource constraints inherent to RFID based systems. 
We briefly review the state of the art in this area. 

Early proposals use relabelling of tag identifiers [37],
or re-encryption techniques [26, 5, 19] that randomly
encrypt the identifier from time to time, so that it can
only be recovered by authorised readers, while being 
untraceable for others. 

Another approach is to implement some form of
authentication between tag and reader, and to allow only
authorised readers to retrieve the tag identifier. In a
public key setting this would be easy, but RFID tags are
generally considered to be too resource poor to accommodate
that. Therefore, several identification and authentication
protocols using hash functions or symmetric key
cryptography have been proposed [48,13]. In particular,
Ohkubo, Suzuki, and Kinoshita [34] present a technique for
achieving forward privacy in tags. This property means that
if an attacker compromises a tag, i.e., learns its current
state and its key, she is nonetheless unable to identify
the previous outputs of the same tag. In their protocol, a
tag has a unique identifier id_i, that is changed every
time the tag is queried by a reader. In fact, when queried
for the i-th time, the tag responds with g(id_i) to the
reader, and sets id_{i+1} = h(id_i) immediately after that.
In both cases, if all readers are online, connected with
one central database, the readers can be synchronised and
the response of a tag can be looked up immediately in the
database 3. If not, or if synchronisation errors occur, a
search over all possible (initial) identifiers (expanding
hash chains) is necessary.
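
The hash-chain scheme described above, as an added example that is not code from the paper or from Ohkubo, Suzuki and Kinoshita: a tag that answers g(id_i) and then overwrites its state with h(id_i), and a back-end that looks the answer up directly when synchronised and expands the hash chain otherwise. The use of SHA-256 with domain-separation prefixes for g and h, the `max_skip` search bound, and the tag names and seeds are assumptions made for the illustration.

```python
import hashlib


def h(state):
    """State update on the tag: id_{i+1} = h(id_i)."""
    return hashlib.sha256(b"update|" + state).digest()


def g(state):
    """What the tag sends when queried for the i-th time: g(id_i)."""
    return hashlib.sha256(b"output|" + state).digest()


class Tag:
    def __init__(self, initial_id):
        self.state = initial_id

    def respond(self):
        out = g(self.state)
        self.state = h(self.state)      # id_i is overwritten, not kept
        return out


class Backend:
    """Central database with a shadow copy of each tag's current id_i."""

    def __init__(self, initial_ids, max_skip=32):
        self.shadow = dict(initial_ids)
        self.max_skip = max_skip        # assumed bound on the chain search
        # Precomputed next expected answer per tag (the synchronised case).
        self.expected = {g(s): name for name, s in self.shadow.items()}

    def _advance(self, name, matched_state):
        self.expected.pop(g(self.shadow[name]), None)
        self.shadow[name] = h(matched_state)
        self.expected[g(self.shadow[name])] = name

    def identify(self, response):
        """Return (tag name, number of queries the database had missed)."""
        name = self.expected.get(response)
        if name is not None:            # synchronised: one table lookup
            self._advance(name, self.shadow[name])
            return name, 0
        # Out of sync: expand every tag's hash chain up to max_skip steps.
        # Cost is at most len(tags) * max_skip hash pairs per unknown answer.
        for name, state in self.shadow.items():
            for skipped in range(1, self.max_skip + 1):
                state = h(state)
                if g(state) == response:
                    self._advance(name, state)
                    return name, skipped
        return None, None


def run_sync_demo():
    # Constructed sample tags; the seeds are placeholders, not real secrets.
    ids = {"crate-A": b"constructed-seed-A", "crate-B": b"constructed-seed-B"}
    tag_a, tag_b = Tag(ids["crate-A"]), Tag(ids["crate-B"])
    db = Backend(ids)
    results = [db.identify(tag_a.respond()), db.identify(tag_b.respond())]
    for _ in range(3):                  # three reads by an offline reader
        tag_a.respond()
    results.append(db.identify(tag_a.respond()))   # needs chain expansion
    results.append(db.identify(tag_a.respond()))   # back in sync
    results.append(db.identify(b"\x00" * 32))      # not a known tag
    return results


def compromise_links(steps_before=3, steps_after=2):
    """Forward privacy check: can a stolen state be tied to old outputs?"""
    tag = Tag(b"constructed-seed-C")
    past = [tag.respond() for _ in range(steps_before)]
    stolen = tag.state                  # tag memory read at this point
    future = [tag.respond() for _ in range(steps_after)]
    reachable, s = set(), stolen
    for _ in range(64):                 # everything computable from stolen
        reachable.add(g(s))
        s = h(s)
    return any(p in reachable for p in past), all(f in reachable for f in future)
```

Earlier outputs stay unlinkable after the state is read because h cannot be inverted, while every later output is computable from the stolen state; the property protects the past only.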

In a symmetric key setting the reader cannot know
the identifier of the tag a priori, or obtain the
identifier of the tag at the start of the protocol because of
privacy concerns. One can give all readers and tags the
same symmetric key, but this has the obvious drawback
that once the key of one tag is stolen, the whole system
is corrupted. To increase security, tags can be given
separate keys, but then the reader must search for the right
key to use for a particular tag. The core challenge is
therefore to provide, possibly efficient, trade offs and
solutions for key search and key management. Molnar
and Wagner [32] (see also [12]) propose to arrange keys
in a tree structure, where individual tags are associated
with leaves in the tree, and where each tag contains the
keys on the path from its leaf to the root. In subsequent
work Molnar, Soppera, and Wagner [31] explore ways
in which the sub-trees in their scheme may be
associated with individual tags. In another approach, Avoine,
Dysli, and Oechslin [6,7] show how, similar to
Hellman's study of breaking symmetric keys, a
time-memory trade off can be exploited to make the search
for the key to use more efficient. We note that none
of these systems are practical for RFID systems where
millions of tags possess unique secret keys.
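
The tree arrangement of keys described above, as an added example that is a simplified sketch and not the protocol of Molnar and Wagner itself: the reader finds a tag by testing the child keys at each level instead of trying every tag key. Deriving node keys from a master secret with HMAC, the one-message challenge-response, the omission of a root key shared by all tags, and the 4-ary depth-3 tree are assumptions made to keep the example self-contained.

```python
import hashlib
import hmac
import secrets

BRANCH, DEPTH = 4, 3          # constructed example: 4**3 = 64 leaves


def node_key(master, path):
    """Key of the tree node reached by `path` (a tuple of child indexes)."""
    return hmac.new(master, b"node|" + bytes(path), hashlib.sha256).digest()


def prf(key, r_reader, r_tag):
    return hmac.new(key, r_reader + r_tag, hashlib.sha256).digest()


class TreeTag:
    def __init__(self, master, leaf_path):
        # Provisioning: the tag keeps only the keys on its own path,
        # never the master secret.
        self.keys = [node_key(master, leaf_path[:i + 1]) for i in range(DEPTH)]

    def respond(self, r_reader):
        # Fresh tag nonce, so two answers of the same tag look unrelated.
        r_tag = secrets.token_bytes(16)
        return r_tag, [prf(k, r_reader, r_tag) for k in self.keys]


class TreeReader:
    def __init__(self, master):
        self.master = master
        self.prf_calls = 0            # counts the key-search work

    def identify(self, r_reader, r_tag, proofs):
        """Walk down the tree; return the leaf path or None."""
        path = ()
        for level in range(DEPTH):
            for child in range(BRANCH):
                candidate = path + (child,)
                self.prf_calls += 1
                expected = prf(node_key(self.master, candidate), r_reader, r_tag)
                if hmac.compare_digest(expected, proofs[level]):
                    path = candidate
                    break
            else:
                return None           # no child key matches: unknown tag
        return path


def identify_demo():
    master = b"constructed-master-secret"     # placeholder, not a real key
    tag, reader = TreeTag(master, (2, 0, 3)), TreeReader(master)
    r_reader = secrets.token_bytes(16)
    r_tag, proofs = tag.respond(r_reader)
    found = reader.identify(r_reader, r_tag, proofs)
    calls = reader.prf_calls          # at most BRANCH * DEPTH = 12, not 64
    forged = [secrets.token_bytes(32)] * DEPTH
    return found, calls, reader.identify(r_reader, r_tag, forged)


def shared_levels(master, path_a, path_b):
    """How many keys two tags have in common (same subtree => shared keys)."""
    a, b = TreeTag(master, path_a), TreeTag(master, path_b)
    return sum(x == y for x, y in zip(a.keys, b.keys))
```

`shared_levels` makes the cost of the faster search visible: tags in the same subtree hold identical keys for the upper levels, so the keys are no longer unique per tag.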

We refer to Juels [25] (and the excellent bibliogra- 
phy 4 maintained by Gildas Avoine) for a much more 
extensive survey of proposed solutions, and [ ] for a 
more formal analysis of the privacy properties actually 
achieved by some of the proposed authentication pro- 
tocols. 



6 Alternative approaches 

Spiekermann et al. [40] observe that although there
are many protocols and proposals for limiting access
to RFID tags (either by killing them completely or
by requiring the reader to authenticate), few systems
have been proposed that allow effective and fine grained
control over access permissions. Recent research efforts
have tried to bring the user back into control. Notable
examples are agency tools like the RFID Guardian [36]
and the Privacy Coach [11], as well as the "resurrecting
duckling" [41] principle of Stajano and Anderson.

3 Note that the database can keep a shadow copy of id_i and
hence can precompute the next expected value g(h(id_i)).

4 http://www.avoine.net/rfid/

6.1 Design philosophies 

The "resurrecting duckling" [41] security policy model 
of Stajano and Anderson is an example of a general 
design philosophy applicable to the Internet of Things, 
that aims to put the user in better control of the de- 
vices that he owns or the devices that surround him. 
The principle is based on an analogy with the biological
principle of imprinting discovered by Lorenz [29], which
describes the initial bonding process between hatched
ducklings and their (supposed) parents. In this model
a device is in one of two possible states: imprintable or
imprinted. When imprintable, anyone can take ownership
of the device. In doing so, the device becomes imprinted. 
Only the owner of an imprinted device may cause the 
device to 'die', bringing it back to its imprintable state 
(and resetting all other settings to default, essentially 
bringing the device back in a virgin, new-born, state). 
Additionally, an owner of a device may change security 
policies on the device, granting certain rights to other 
users. This allows an owner of a device to lend the de- 
vice to another user, and delegate a subset of its power 
to this user. 
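
The two-state model described above, as an added example that is not code from Stajano and Anderson: a device that anyone can imprint while it is imprintable, that only its owner can kill or delegate rights on, and that resets everything when killed. The HMAC challenge-response used to recognise the owner, the `volume` setting, and all names are assumptions; how the imprinting key and a delegate's key reach the device confidentially is outside the sketch.

```python
import hashlib
import hmac
import secrets

DEFAULTS = {"volume": 5}      # hypothetical factory settings


class NotAuthorised(Exception):
    pass


def prove(key, nonce, action, detail=""):
    """MAC binding a fresh device nonce to one command and its arguments."""
    msg = nonce + f"{action}|{detail}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


def grant_detail(user, user_key, rights):
    return f"{user}|{user_key.hex()}|{','.join(sorted(rights))}"


class Duckling:
    def __init__(self):
        self._hatch()

    def _hatch(self):
        # Newborn state: no owner, no delegations, default settings.
        self.owner_key = None
        self.delegates = {}           # user -> (key, rights)
        self.settings = dict(DEFAULTS)
        self._nonce = None

    @property
    def state(self):
        return "imprintable" if self.owner_key is None else "imprinted"

    def imprint(self, owner_key):
        # Anyone may take ownership, but only while imprintable.
        if self.state == "imprinted":
            raise NotAuthorised("device already has an owner")
        self.owner_key = owner_key

    def challenge(self):
        self._nonce = secrets.token_bytes(16)
        return self._nonce

    def _check(self, who, action, detail, proof):
        nonce, self._nonce = self._nonce, None    # nonce is single use
        if who == "owner":
            key, rights = self.owner_key, None    # owner holds every right
        else:
            key, rights = self.delegates.get(who, (None, frozenset()))
        if nonce is None or key is None:
            raise NotAuthorised("unknown principal or no challenge")
        if not hmac.compare_digest(proof, prove(key, nonce, action, detail)):
            raise NotAuthorised("bad proof")
        if rights is not None and action not in rights:
            raise NotAuthorised("right not delegated")

    def grant(self, user, user_key, rights, owner_proof):
        detail = grant_detail(user, user_key, rights)
        self._check("owner", "grant", detail, owner_proof)
        self.delegates[user] = (user_key, frozenset(rights))

    def set_volume(self, who, value, proof):
        self._check(who, "set_volume", str(value), proof)
        self.settings["volume"] = value

    def kill(self, owner_proof):
        # Only the owner can make the device 'die'; everything resets.
        self._check("owner", "kill", "", owner_proof)
        self._hatch()


def lifecycle():
    owner_key, guest_key = secrets.token_bytes(32), secrets.token_bytes(32)
    d = Duckling()
    trace = [d.state]
    d.imprint(owner_key)
    trace.append(d.state)
    rights = {"set_volume"}           # owner lends the device for one purpose
    d.grant("guest", guest_key, rights,
            prove(owner_key, d.challenge(), "grant",
                  grant_detail("guest", guest_key, rights)))
    d.set_volume("guest", 9, prove(guest_key, d.challenge(), "set_volume", "9"))
    trace.append(d.settings["volume"])
    try:
        d.kill(prove(guest_key, d.challenge(), "kill"))
        trace.append("guest killed device")
    except NotAuthorised:
        trace.append("guest kill refused")
    d.kill(prove(owner_key, d.challenge(), "kill"))
    trace += [d.state, d.settings["volume"], len(d.delegates)]
    return trace
```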

More models like this need to be developed to better 
understand the nature of the Internet of Things. 

6.2 Agency tools 

The RFID Guardian and the Privacy Coach can be 
classified as agency tools: tools that support the user 
to make choices and to impose those choices on the 
world [8]. Such tools put the user at the centre of the 
Internet of Things. 

The RFID Guardian [36] is best understood as a 
personal firewall between the RFID tags carried by a 
user, and the world of RFID readers that surround the 
user. The user programs the RFID Guardian to grant 
or deny access to specific tags from certain readers, 
possibly depending on the current context. The RFID 
Guardian performs this task by selectively jamming ra- 
dio signals if it detects a reader that tries to access a 
tag for which access is denied. 

The Privacy Coach [11] puts the user in control in a 
different way. It is an application running on a mobile 
phone equipped with a reader that can read RFID tags.
Certain such NFC enabled phones are currently on the 
market. The Privacy Coach supports users in making 
privacy decisions when confronted with RFID tags on 
items they buy (or otherwise obtain). It functions as 
a mediator between customer privacy preferences and 
corporate privacy policies, trying to find a match be- 
tween the two, and informing the user of the outcome. 

The Privacy Coach itself does not block or prevent 
any privacy infringements. Instead, it stores the user 
privacy preferences in a profile on the mobile phone. 
Privacy policies associated with RFID tags are down- 
loaded from a central database whenever the user scans 
such a tag using the NFC reader. Producers of goods 
tagged by RFID will similarly store the company pri- 
vacy policy associated with these tags in a central database. 
Alternatively, consumer organisations may create such 
privacy policies for companies that do not provide these 
policies themselves. 

7 Future challenges 

The remainder of this essay is devoted to describing the 
main research challenges ahead. 

7.1 Privacy beyond data minimisation 

Current approaches to protect our privacy focus on data 
minimisation. This is as counterproductive in the In- 
ternet of Things as it is in social networks: both only 
'work' if you are willing to share your data. This is 
not to say that in order for the IoT to be useful, your 
personal data needs to be shared with everybody. Like 
in social networks, context separation [33] will play an 
important role in the Internet of Things as well. But 
simply refusing to share your data with anybody will 
not be possible (although in certain cases, anonymity 
mechanisms may still be applicable). 

This means that privacy enhancing technologies need 
to be developed that prevent the abuse of personal data 
once it is collected [22], and that prevent the leakage of 
information from one context to the other (thus main- 
taining contextual integrity [33]). Design philosophies, 
and derived design patterns, for the Internet of Things 
need to be developed that accomplish this. Moreover, 
a common privacy engineering practice based on these
principles needs to be established. These privacy
preserving approaches need to be applicable to
heterogeneous sets of devices [43], and need to be user friendly.
This adds to the research challenge already present. 

Several approaches can be followed to achieve this. 
One approach is to collect and maintain user profiles 
and preferences on a personal device held by the user 
(like a mobile phone) instead of by the infrastructure
directly. The core data needed to make the ambient 
infrastructure intelligent is then still under control of 
the user. The infrastructure can query the user profile 
through standard interfaces provided by the personal 
device. In a way the personal device operates as a per- 
sonal firewall. This approach is somewhat similar to re- 
cent studies into privacy enhanced profiling of website 
visitors. These techniques aim to implement targeted 
advertising on websites [3,44] without the usually as- 
sociated privacy problem of collecting user profiles cen- 
trally. 

Alternatively, user profiles can be split into many 
small parts and stored at many different, uncorrelated,
locations. This can even be done in such a way that 
wrong information is encoded in some of these parts. 
The parts can be combined using secret sharing tech- 
niques. In case of wilfully distributing wrong informa- 
tion, the wrong data can be filtered out using majority 
voting and other fault tolerant techniques [24] once all 
the parts (correct and incorrect ones) have been col- 
lected. 



7.2 Security 

The main security properties that are relevant for the 
Internet of Things are integrity, authenticity, and avail- 
ability. These need to be achieved in an environment 
where the endpoints are mostly very resource constrained.
Endpoints are typically tags, sensors and actuators, 
that need to be produced at the lowest possible cost (be- 
cause a proper implementation of the Internet of Things 
will need so many of these nodes to be deployed). These 
endpoints have little memory, little processing power, 
and slow, short range and unreliable communication 
links. Security (and privacy) therefore need to be built 
upon resource efficient cryptographic primitives. This 
remains a challenging area of research. 

Also, the Internet of Things will lack a single cen- 
tral authority. This calls for models for decentralised 
authentication [43], including strategies for revocation 
and key-distribution in an ad-hoc fashion. In general, 
security measures need to support the conflicting
requirements of multiple stakeholders (e.g., privacy
protection versus accountability), in order to support
multilaterally secure cooperations [47], and should be
designed in such a way that they can be used by casual
users. This has to be achieved without the coordinating 
role of a central authority trusted by all stakeholders. 

The same holds not only for devices. Reliability (or
rather integrity) of the data collected by the Internet
of Things and provided back to the users is also an
issue. Open source data mining tools to verify the
reliability of the data may help in this respect. An
example of an area where this is especially important is
health care applications of the Internet of Things where
patients share data to crowd-source knowledge about
their diseases, and subsequently use that data to improve
their standard of living 5. The diffusion of harmful
and unsubstantiated knowledge and information is
a real possibility. However, experiences with similarly
crowd-sourced knowledge bases like Wikipedia suggest
that in an open system, malicious knowledge tends to
gradually be muted out [42].

We note that security can also benefit from the ex- 
istence of an Internet of Things. Through the IoT it 
is much easier to reliably collect information about the 
context in which a certain actor tries to access a cer- 
tain resource. The current location of the user, whether 
the user is alone in the room, whether someone else is 
approaching, whether certain devices are or are not in 
the vicinity: all these aspects can be determined. This 
allows us to specify much more fine grained access con- 
ditions, that can still be fulfilled given a much richer 
data set at the time the resource is accessed. 



7.3 Establishing trustability 

Establishing trust in the Internet of Things should go 
beyond the mere user perception side of the issue, but 
instead focus on measurable ways to establish trusta- 
bility, and on tools to support this. Trustability aims to 
answer questions like: How well does the infrastructure 
safeguard the data you entrust to it? What are the fu- 
ture consequences of its use? How clearly and openly do 
infrastructure providers advise you of your rights and 
responsibilities? What guarantees of future reliability 
and availability does the infrastructure give you? 

Very few of these tools exist to help the user to
determine the trustability of the infrastructure they are
engaging with. The issue is much more complex than simply
determining whether a certain public terminal is authentic
before entering your PIN code on it [4] (although
certainly knowing the terminal is authentic helps to some
extent). Methods based on direct anonymous attestation [10]
using Trusted Platform Modules (TPM) (that
establish that a certain device is in a known good state)
are of limited value. The sheer heterogeneity of the
devices that make up the Internet of Things makes it
impossible to enumerate all the good states each of these
devices can be in. Moreover, because the IoT has no
central authority, and as context matters, the question
is who to turn to to tell you what a good state of a
certain device is in the first place.

5 cf. http://www.patientslikeme.com/

Most importantly though, establishing trust is a 
process, a process that progresses over time in which 
users adjust their trust assessment in the devices and 
infrastructures they engage in with every transaction 
they perform with them. Personal, mobile devices and
applications (cf. [46]) that support the user
in this process need to be developed. These could for
instance be used to predict the future consequences 
of current engagements with the Internet of Things 
(cf. [22]). These ideas could build upon the results ob- 
tained in the Smart Products 6 project that aim to em- 
bed "proactive knowledge" into the IoT and consider 
e.g. usability and security in access control mechanisms 
based on machine learning techniques to make the con- 
figuration of the IoT manageable by casual users. 

Transparency is a key factor in the aforementioned 
process. Transparency helps the user to assess the trusta- 
bility of a party in a transaction. It also provides useful 
meta-information that is essential to establish the
integrity of the data collected by the IoT. We therefore
need to engineer built-in transparency for the IoT, and 
develop the concept of transparency by design similar 
to privacy by design. 

7.4 Governance 

[...] the more autonomous and intelligent 'things' 
get, problems like the identity and privacy of 
things, and responsibility of things in their act- 
ing will have to be considered [43]. 

Governance can be defined as "the use of institu- 
tions and structure of authority to allocate resources 
and coordinate or control activity in society" [9]. The 
three main stakeholders (government, the private sector 
and the civil society) should be represented in these in- 
stitutions and structures of authority. But what these 
institutions should be and what this structure of au- 
thority should look like is currently unclear for the In- 
ternet of Things 7 . 

It is pretty much a chicken-and-egg problem. 

Because there is no common view on the future and
design of the Internet of Things, it is hard to define
an appropriate governance for it. As a particular case in
point, it has been observed that things are bound to
physical locations. It is therefore foreseen that the
Internet of Things will have a much more localised nature
than the current Internet. In fact there may not even
be a single Internet of Things. Instead, there may be
several networks of things, perhaps each using different
technology, operating as pretty much isolated islands
of interconnected things.

6 http://www.smartproducts-project.eu/

7 Private communication, from the Internet of Things Expert
Group [15]

On the other hand, because of a lack of governance, 
there is no (visible and accountable) converging force 
that will slowly bring together the different views and 
designs for the Internet of Things. This lack of trans- 
parency and openness may have a negative impact on 
the acceptance of this new technology in our society,
especially because the consequences of this new
technology are quite radical.

This chicken-and-egg problem has to be resolved, 
because governance cannot be retrofitted. The history 
of the development of the Internet itself may serve as 
an example. Even though the Domain Name System 
(DNS) works, for better or worse, from a technical per- 
spective, it has severe legitimacy problems because of 
decisions made early on that did not foresee the devel- 
opment of the Internet as it is now. Trying to change 
the governance structure today proves to be very dif- 
ficult because of vested commercial and governmental 
interests. 

When setting up a governance structure care has to 
be taken not to overdo it. The very power of the Inter- 
net, that made it grow as fast as it did, is the almost 
'anarchistic' nature of the underlying technology [28]. 
This has ensured that no single party can control the 
whole network, and that all types of traffic are treated 
equally.